This DPA replaces any Agreements between SiteHost and the Customer and details the rights and obligations of each party for data privacy under Applicable Laws. Updates to this DPA may be posted at any time at our sole discretion and to ensure future compliance; the current version may be found at https://sitehost.nz/policies-compliance/data-processor-agreement.
Definitions
"Affiliates" means any subsidiaries, contractors, representatives, agents, vendors or distributors which, as determined by us in our sole and absolute discretion, assist in the performance of the SiteHost Services.
"Customer Data" means all content, including without limitation, all data, text, audio, software (including machine images or processes), or visual (both static and dynamic) files that are provided to us by, or on behalf of, you through your use of the SiteHost Services, and all content provided by you or on your behalf relating to your Personal Data or the Personal Data of your End Users.
"Data Controller" has the meaning as defined in the EU Model Contract.
"Data Exporter" has the meaning as defined in the EU Model Contract.
"Data Importer" has the meaning as defined in the EU Model Contract.
"Data Processor" has the meaning as defined in the EU Model Contract.
"Data Subject" means any natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her/its physical, physiological, mental, economic, cultural or social identity, including without limitation, a full name, company name (if applicable), billing address, credit card number and expiration date, e-mail address, and source.
"EU GDPR" means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
"EU Model Contract" means the Data Processor Agreement and the Standard Contractual Clause C(2010)593 issued by the European Union European Commission, Directorate of General Justice as provided by us to our Customers in the European Economic Area.
"Personal Data" means any information relating to a Data Subject that you or your End Users directly or indirectly provide to us as part of the SiteHost Services or any Data Subject's use of any SiteHost Resource.
"Proprietary Rights" means any right, interest or authorized or permitted ability to use, distribute, redistribute, produce, reproduce or display any tangible or intangible property protected by patent, copyright, trade secret, trademark, or other intellectual property right.
“Processor” means an entity that processes Personal Data on behalf of the Controller.
“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
"Subprocessors" means any subsidiaries, contractors, representatives, agents, vendors or distributors engaged to process Customer Data as part of the SiteHost Services.
Scope
This DPA applies where Customer Data is processed by SiteHost. Specific provisions in this DPA are applicable where SiteHost processes Customer Data where that data includes any Personal Data which is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom. The Customer and SiteHost agree to comply with this DPA in order to comply with these laws.
Our Role
SiteHost provides hosting infrastructure and services which are made available to you as our Customer. As a digital infrastructure provider, the platforms provided to you are in your control and are highly flexible in enabling you to configure to your requirements, and in this capacity we act as your Data Processor and do not have any Proprietary Rights to any data that is accessed, maintained and/or transmitted by you or your End Users to or from SiteHost-managed infrastructure. Nothing in this DPA shall prevent SiteHost from using or sharing any data that SiteHost would otherwise collect and process independently of your use of our Services.
Customer Role
As a user of our services, you retain control of any data processed by SiteHost, so you are the Controller of any Personal Data. SiteHost shall only process this data on behalf of you, the Customer. The Customer agrees that as the Controller of any Personal Data, you will comply with any Data Protection Laws with respect to processing of that Personal Data and any instructions sent to SiteHost or SiteHost systems.
Our Obligations
As a Data Processor, we will only process data as permitted by the Agreement or your other instructions, or as necessary for our internal requirements related to the provision of Service. We will only process Personal Data as and when instructed by you and only to perform services in accordance with this Agreement, to ensure compliance with this agreement, or to comply with other lawful directions from you as the Customer which are consistent with this Agreement. No processing of Personal Data shall be made outside of this Agreement without a separate signed Agreement for that specific Processing.
Customer's Obligations
As the Data Controller, you acknowledge that you are at all times solely responsible for obtaining and maintaining Proprietary Rights for any and all Customer Data you instruct us to Process. You are solely responsible for how this data is accessed or used either directly or indirectly by you or any End Users you may have, including any intentional or unintentional use or misuse of your SiteHost service or account. You are responsible for the usage of SiteHost services and for ensuring your services are maintained and secured using appropriate steps to ensure all steps for protecting and backing up Customer Data. Any passwords, keys or other access logins provided to you by SiteHost are for your use only and should also be secured by you. You are responsible for any End Users of any service provided by SiteHost to you and are responsible for any steps to secure or restrict access by End Users to any Personal Data. You are responsible to ensure End Users comply with obligations under this agreement and shall be responsible to provide any support required to any End Users. SiteHost will in no way be responsible to provide support to End Users or provide advice to End Users under this agreement.
Personal Data
In the event that a Data Subject makes a direct request to SiteHost to disclose, process or retrieve any information relating to Personal Data for which you are the Controller and SiteHost is the processor, we will promptly notify you of this request, unless prohibited to do so by relevant law or lawful directions by law enforcement agencies. We will not independently take any actions in relation to a request from a Data Subject without your prior written authorisation and instructions. We will cooperate with your reasonable requests for access to Personal Data and any other information required to assist with responding to a lawful request by a Data Subject.
Subprocessing
The Customer agrees that SiteHost may use sub-processors to process Personal Data. SiteHost shall ensure that any and all sub-processors who process Personal Data shall conform to our obligations under this Agreement. You expressly grant us authorization for (i) SiteHost to appoint our Affiliates to provide processing or sub-processing services and (ii) SiteHost and our Affiliates to appoint Subprocessors, including without limitation, third party data center, development, production, maintenance, marketing, financing and customer support providers in connection to any SiteHost Resource or SiteHost Service.
SiteHost will provide you with a copy of our Subprocessors which relates to your use of a SiteHost Resource or SiteHost Service upon request. If you have a reasonable objection to a Subprocessor which relates to your use of a SiteHost Resource or SiteHost Service, you shall notify SiteHost of your objection in writing and SiteHost shall respond within thirty (30) days of such request (each a "Subprocessor Request"). SiteHost, at SiteHost's sole and absolute discretion, shall determine if we are able to provide the applicable SiteHost Resource or SiteHost Service without the use of the applicable Subprocessor. If SiteHost is unable to reasonably satisfy your concerns within ninety (90) days of a Subprocessor Request, you may terminate your Account subject to any term obligations.
Your failure to provide written objections or requests within any of the deadlines provided in Section 10.2 will be deemed to be a waiver of the applicable Subprocessor Request. SiteHost shall ensure that our Subprocessors shall only be engaged by written contract which imposes processing and sub-processing terms which are substantially no less protective of your Customer Data than this Agreement. SiteHost shall be responsible for procuring Subprocessor performance under this Agreement and shall be liable to Customer for any breach of your Customer Data by a Subprocessor, subject to any indemnification or subrogation agreements entered into by us and the applicable Subprocessor. In all instances not related to a breach of Customer Data by a Subprocessor, you and your End Users expressly acknowledge and agree that any disputes, controversies, claims or actions shall be raised in the first instance against the applicable Subprocessor and not against SiteHost.
Disclaimers and Releases
Global Transfers of Personal Data. To the extent that Personal Data originates from the European Economic Area or Switzerland, your transfers of Personal Data to us or to our Affiliates or Subprocessors are made subject to this Agreement, the EU GDPR and the EU Model Contract, with you acting as the Data Exporter and us and/or our Affiliates or Subprocessors acting as the Data Importer. The terms of this Agreement shall be read in conjunction with the EU Model Contract and/or any other appropriate transfer mechanism or device permitted by the laws of the United States of America and the European Union.
Disclaimer of Certain Issues. THE SiteHost SERVICES ARE PROVIDED "AS IS." WE, OUR AFFILIATES AND OUR SUBPROCESSORS MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESSED, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE SiteHost SERVICES, INCLUDING ANY WARRANTY THAT THE SiteHost SERVICES WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF RISK OR ADVERSE ELEMENTS, OR THAT ANY CONTENT, INCLUDING YOUR CUSTOMER DATA, WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED. EXCEPT TO THE EXTENT PROHIBITED BY LAW, WE AND OUR AFFILIATES AND SUBPROCESSORS DISCLAIM ALL WARRANTIES, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR QUIET ENJOYMENT, AND ANY WARRANTIES ARISING OUT OF ANY COURSE OF DEALING OR USAGE OF TRADE.
Limitation of Liability and Indemnification
Indemnification. You will indemnify, defend and hold us, our Affiliates and our Subprocessors harmless from and against all claims, damages, losses, liabilities, costs and expenses (including reasonable attorney fees and legal costs) in connection with disputes, controversies, claims or actions made or brought by a third party arising from: (i) you and your End Users' breach of this Agreement or violation of any applicable law; (ii) you and your End Users' authorized or unauthorized use of the SiteHost Services; (iii) you and your End Users' authorized or unauthorized access, maintenance or transmission of content or data by or through SiteHost Resources; (iv) you and your End Users' wrongful or negligent acts or omission in connection with its performance of any SiteHost Service; (v) you and your End Users' infringement or misappropriation of any Proprietary Right(s); (vi) Customer's disclosure of any information that is confidential or protected by law and (vii) as between you and your End Users.
Amendments or Modification
This Agreement shall not be amended or modified, nor shall it be deemed, interpreted or construed to be amended or modified, without the prior written consent of an authorized representative of SiteHost. You agree that we may provide you with notices, including those regarding changes to this Agreement or any Service Level Agreements, by email or regular mail to be sent to the addresses listed in your Account or by publication on any SiteHost Resource(s). You must provide us with all notices through SiteHost Customer Support.
Security
Our Security
SiteHost shall maintain and implement appropriate technical and procedural security measures to keep Customer Data protected from Security Incidents and help ensure the integrity and confidentiality of Personal Data.
Confidentiality
SiteHost shall ensure that only appropriately trained, screened and vetted personnel should have access to SiteHost infrastructure where such personnel need to have access to infrastructure and systems to ensure SiteHost systems are maintained and kept secure and available for reliable use. All staff, subprocessors, suppliers or contractors shall be required to act in accordance with this DPA and shall be subject to confidentiality agreements.
Incident Response
SiteHost maintains an Incident Response Plan. Appropriately trained SiteHost staff are familiar with our Incident Response Plan, which details responsibilities in the event of any Security Incident.
Incident Reporting
SiteHost's Incident Response Plan includes guidelines for timeframes for reporting initial and post-mortem reports in the event of an Incident which may affect Customer Data. Upon becoming aware of a Security Incident, SiteHost shall notify and provide appropriate information to the Customer inside a reasonable timeframe as information becomes confirmed and verified or as reasonably requested by the customer.
Severance
Whenever possible, each provision of this Agreement shall be interpreted to be effective and valid under applicable law. If, however, any such provision shall be prohibited by or invalid under such law, it shall be deemed modified to conform to the minimum requirements of such law, or if for any reason it is not so modified, it shall be prohibited or invalid only to the extent of such prohibition or invalidity without the remainder of such provision, or any other provision of these terms and conditions, being prohibited or invalid.